
Re: Domainkeys and ISPs



> [This message has also been posted to linux.debian.isp.]
> In article <a6zce-5UT-27@gated-at.bofh.it>, Michael Sprague wrote:
> > Second, let's say spammer@spammer.com sends a message to
> > user@example.com and it gets by our spam filtering.  We forward to
> > user@yahoo.com.  If we sign it, are we helping spammer.com in any way?

1. You should not sign it, since the message wasn't generated by your
user/on your servers.

2. No, you are not helping the spammer, but you are making problems for
yourself - someone may check your signature and think that you generated the
message and thus it's you who sent the spam.

On 12.03.08 12:26, cls@truffula.sj.ca.us wrote:
> It seems to me DKIM is just not compatible with forwarding,
> for that reason.  Most of my users have mailbox and outbound
> relay service from their ISPs.  They use the domains they
> host with me partly to hide that fact.  

DKIM _is_ compatible with forwarding, and it's DKIM's main advantage over
e.g. SPF, which is not, unless you rewrite the sender's address.
(There are more issues about this; I don't want to talk about it here and
now.)

The whole purpose of DKIM is that the sender's mail servers sign the mail
message, confirming that it really came out of the message (which should of
course lead to the fact that they have verified the sender, so the sender
address is not fake).

So, when _anyone_ forwards you a DKIM-signed message claiming to be from
someone, you can verify the DKIM signature and see if it really is from whom
it claims to be, or reject it (or mark it as spam) if the signature is
incorrect.

So you see there may be many forwardings between the real sender and you.
The problem will appear only if someone along the way changes the message
or the signature (so, again, you must not sign a forwarded message).

> Maybe forwarding just isn't going to be practical any more.

It's just only people not understanding the problem(s) :)
However, yes, there are problems with forwarding about trust.
DKIM makes it a bit safer.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers. 

